[asterisk-bugs] [JIRA] (ASTERISK-25338) Failed to authenticate device messages don't report connection ip

John Fawcett (JIRA) noreply at issues.asterisk.org
Sun Aug 23 11:31:32 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=227338#comment-227338 ] 

John Fawcett commented on ASTERISK-25338:
-----------------------------------------

Thanks, the security log did contain the remote ips, so I will use that for monitoring. This probably means that I can do away with having fail2ban watch the messages log if every authentication event is also logged to the security log. Also much of fail2ban's regex for asterisk can be eliminated, leaving only the one that matches on security log format. This issue can be closed.

> Failed to authenticate device messages don't report connection ip
> -----------------------------------------------------------------
>
>                 Key: ASTERISK-25338
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25338
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/Security Framework
>    Affects Versions: 11.19.0
>         Environment: Centos 7.1
>            Reporter: John Fawcett
>            Severity: Minor
>
> I use fail2ban to parse asterisk logs and block ips originating failed authentication attempts. I noticed that fail2ban picks up requests which included my own external ip (w.x.y.z in the log below). While I can whitelist my ip in fail2ban, it is a missed opportunity to block the real ip from which the attack is coming.
> Would it be possible to log the source ip rather than my ip which I presume was forged in the sip header?
> Example log message containing my ip w.x.y.z
> [2015-08-22 23:55:47] NOTICE[9171][C-000000b4] chan_sip.c: Failed to authenticate device 401<sip:401 at w.x.y.z>;tag=9988cc3e
> Example invite request showing the real ip is 199.48.164.236
> <--- SIP read from UDP:199.48.164.236:5071 --->
> INVITE sip:000972597803794 at w.x.y.z SIP/2.0
> To: 000972597803794<sip:000972597803794 at w.x.y.z>
> From: 401<sip:401 at w.x.y.z>;tag=9988cc3e
> Via: SIP/2.0/UDP 199.48.164.236:5071;branch=z9hG4bK-9605c9e790e0d0dd9b8445fa89c72c50;rport
> Call-ID: c2746e206bee6ac4d99357b08827a641
> CSeq: 2 INVITE
> Contact: <sip:401 at 199.48.164.236:5071>
> Max-Forwards: 70
> Allow: INVITE, ACK, CANCEL, BYE
> User-Agent: sipcli/v1.8
> Content-Type: application/sdp
> Authorization: Digest username="401",realm="asterisk",nonce="08fb1042",uri="sip:000972597803794 at w.x.y.z",response="77a5c887dbd175ab54fb30a0d6b12ca4",algorithm=MD5
> Content-Length: 284



--
This message was sent by Atlassian JIRA
(v6.2#6252)
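An added illustration (not part of the thread or of Asterisk's own code) of why the comment above moves fail2ban from the messages log to the security log: the host in the "Failed to authenticate device" NOTICE is copied from the request's From header, which the sender controls and which here equals the PBX's own address, while the SIP debug read banner and the security log carry the transport-layer peer. The sample lines are constructed from the report (with w.x.y.z stood in by 203.0.113.10), and the security-log line format is an assumption of this example.

```python
import re

# Constructed sample lines, modelled on the report. The archive renders "@" as " at ";
# "w.x.y.z" (the PBX's own public address) is stood in for by 203.0.113.10.
MESSAGES_LINE = ('[2015-08-22 23:55:47] NOTICE[9171][C-000000b4] chan_sip.c: '
                 'Failed to authenticate device 401<sip:401@203.0.113.10>;tag=9988cc3e')
SIP_READ_LINE = '<--- SIP read from UDP:199.48.164.236:5071 --->'
# Assumed shape of a security-log event (key="value" pairs, RemoteAddress as
# FAMILY/TRANSPORT/host/port); not copied from the page.
SECURITY_LINE = ('[2015-08-22 23:55:47] SECURITY[9171] res_security_log.c: '
                 'SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",'
                 'AccountID="401",LocalAddress="IPV4/UDP/203.0.113.10/5060",'
                 'RemoteAddress="IPV4/UDP/199.48.164.236/5071"')

# The host in the NOTICE line comes from the From header, which the sender
# controls; the other two lines carry the address the packet arrived from.
AUTH_FAIL_RE = re.compile(r'Failed to authenticate device .*?<sip:[^@>]*@([^>;:]+)')
SIP_READ_RE = re.compile(r'SIP read from (?:UDP|TCP|TLS):([0-9.]+):(\d+)')
SECURITY_RE = re.compile(r'SecurityEvent="(\w+)".*?RemoteAddress="IPV4/(?:UDP|TCP|TLS)/([0-9.]+)/(\d+)"')

def host_from_auth_failure(line):
    """Host part of the From URI in a chan_sip auth-failure NOTICE, or None."""
    m = AUTH_FAIL_RE.search(line)
    return m.group(1) if m else None

def source_from_sip_read(line):
    """(ip, port) the packet actually arrived from, per the SIP debug read banner."""
    m = SIP_READ_RE.search(line)
    return (m.group(1), int(m.group(2))) if m else None

def remote_from_security_event(line):
    """(event, ip, port) from a security-log line, or None."""
    m = SECURITY_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def ban_candidate(line, own_addresses):
    """Address a fail2ban-style action could ban, paired with the evidence it rests on.

    A security-log line is trusted. A messages-log NOTICE only yields an unverified
    From-header host and is ignored when that host is one of ours, which is exactly
    the self-ban the report describes.
    """
    sec = remote_from_security_event(line)
    if sec:
        return (sec[1], 'security_log')
    host = host_from_auth_failure(line)
    if host and host not in own_addresses:
        return (host, 'from_header_unverified')
    return None
```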